GHSA-wjp3-4xcq-598p

Source

https://github.com/advisories/GHSA-wjp3-4xcq-598p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wjp3-4xcq-598p/GHSA-wjp3-4xcq-598p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wjp3-4xcq-598p

Aliases

CVE-2012-3353

Published

2022-05-14T03:46:15Z

Modified

2024-02-16T08:21:55.179411Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Sling JCR ContentLoader XmlReader Arbitrary File Load

Details

The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader

Database specific

{
    "nvd_published_at": "2018-01-09T02:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T23:58:02Z"
}

References

Affected packages

Maven / org.apache.sling:org.apache.sling.jcr.contentloader

Package

Name: org.apache.sling:org.apache.sling.jcr.contentloader; View open source insights on deps.dev
Purl: pkg:maven/org.apache.sling/org.apache.sling.jcr.contentloader

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.6

Affected versions

2.*

2.0.2-incubator

2.0.4-incubator

2.0.6

2.1.0

2.1.2

2.1.4